1 / 64

CSIS 4823 Data Communications Networking – Firewalls

CSIS 4823 Data Communications Networking – Firewalls. Mr. Mark Welton. Firewalls. Firewalls are devices that prevent traffic from entering or leaving a network

magee
Download Presentation

CSIS 4823 Data Communications Networking – Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSIS 4823Data Communications Networking – Firewalls Mr. Mark Welton

  2. Firewalls • Firewalls are devices that prevent traffic from entering or leaving a network • Firewalls are often used between networks, or when a network connects to another network, such as the Internet or business partners • Firewalls can be standalone appliances, software, or integrated modules in other devices • VPN services are often also supported on firewalls

  3. Firewalls • Basic Security Practices: • Keep it simple • Monitor your logs • Deny everything • Everything not mine is firewalled

  4. Firewalls • Keep it simple – make security rules easy to read and understand, use naming conventions over numbering schemes • Monitor your logs – log all firewall activity to a separate syslog server, and review the logs as part of your normal daily routine

  5. Firewalls • Deny everything – best practice, nothing should be allowed inbound unless there is a valid documented business need for it. Restricting outbound traffic is also the smart thing to do, but it often comes with the heated debate between conveniences over security. Many firewalls default to allow everything outbound.

  6. Firewalls • Everything not mine is firewalled – any third-party devices or networks should be separated for your network by a firewall

  7. Firewalls • DMZ (Demilitarized Zone is a network that is neither inside nor outside the firewall • A middle ground network that is less restrictive than the inside network but more secure than the outside network

  8. Firewalls • Common DMZ Scenario

  9. Firewalls • Inside Network - can initiate connections to any other network, but no other network can initiate connections to it • Outside network - The outside network cannot initiate connections to the inside network but can initiate connections to the DMZ • DMZ - The DMZ can initiate connections to the outside network, but not to the inside network. Any other network can initiate connections into the DMZ

  10. Firewalls • One of the main benefits of this type of design is isolation • Should the email server come under attack and become compromised, the attacker will not have access to the users on the inside network • Servers in a DMZ should be locked down with security measures as if they were on the Internet

  11. Firewalls • Understanding how each service works will help you to understand how the firewall should be configured

  12. Firewalls • Email server - POP, IMAP, and SMTP (TCP ports 110, 143, and 25) should be allowed. All other ports should not be permitted from the Internet

  13. Firewalls • Web server - HTTP and HTTPS (TCP ports 80 and 443) should be allowed. All other ports should be denied from the Internet

  14. Firewalls • DNS server - Only DNS (UDP port 53, and, possibly, TCP port 53) should be allowed from the Internet. All other ports should be denied.

  15. Firewalls • Ideally, only the protocols needed to manage and maintain the servers should be allowed from the managing hosts inside to the DMZ • Traffic should not be allowed from the DMZ the inside network

  16. Firewalls • Another common DMZ implementation involves connectivity to a third party, such as a vendor or supplier

  17. Firewalls

  18. Access Lists • Access Control List (ACL) are made up of individual entries called access control entries (ACE) • Wildcard masks (also called inverse masks) are used in many devices for creating access lists • A wildcard mask is to match a range that can be described with a subnet mask (typical used on routers)

  19. Access Lists • A simple rules that will solve Classful subnet/wildcard mask is: • If the subnet mask has 0 replace it with 255 • If the subnet mask has 255 replace it with 0 • Subnet mask Matching wildcard mask • 255.0.0.0 0.255.255.255 • 255.255.0.0 0.0.255.255 • 255.255.255.0 0.0.0.255

  20. Access Lists • What if it is not a Classful subnet • 255.255.255.224 • The wildcard mask will be a derivative of the number of host addresses provided by the subnet mask minus one • So how many host are in this subnet?

  21. Access Lists • 255.255.255.224 • Last octet is 11100000 • So what is the power of two that represents the number of hosts?

  22. Access Lists • 255.255.255.224 or /27 • The last 5 bits represent the number of hosts • 25 = 32 – 1 =31 • So the wildcard mask is 0.0.0.31 27 26 25 24 23 22 21 20 128 64 32 16 8 4 2 1 11100000

  23. Access Lists • What would the wildcard mask be for 255.240.0.0

  24. Access Lists • What would the wildcard mask be for 255.240.0.0 • 1. Replace all 0 octets with 255 and all 255 octets with 0 • 0.240.255.255 • 2. 240 in the last octet of a subnet mask (255.255.255.240) would yield 16 hosts • 16 − 1 = 15 • The wildcard mask is 0.15.255.255

  25. Access Lists • So on a Cisco router this would be what a access control entry would look like to allow web traffic to a subnet 10.10.10.0/24 • Permit tcp any 10.10.10.0 0.0.0.255 eq www

  26. Access Lists • To make it more confuring this is what a Cisco ASA(firewall) ACE would look like for the same network • access-list GAD extended permit tcp any 10.0.0.0 255.255.255.0 eq www • Some equipment like NX-OS use CIDR • 10 permit tcp 10.10.10.0/24 any eq www

  27. Where to Apply Access Lists • So where should we apply the ACL?

  28. Where to Apply Access Lists • ACLs can be placed on either inbound on an interface or outbound • Inbound traffic is referred to as ingress • Outbound traffic is referred to as egress • In almost all cases you will place the ACL on the inbound of the interface (coming into the device)

  29. Where to Apply Access Lists • If you placed the ACL outbound on E0 the router would have to process the packet to then only drop them based on an ACL

  30. Hidden Rules • ACL are applied “Top Down” • Unlike routes which are applied as most specific ACL are applied as first match • This can cause the concept of hidden rules ip access-list extended GAD permit tcp any 10.10.10.0 0.0.0.255 eq www permit tcp any host 10.10.10.100 eq www permit tcp any host 10.10.10.100 eq domain • The second rule will be “hidden” by the first

  31. Object Grouping • Most devices allow objects to be “grouped” under a single name • Object groups allow a group of networks, IP addresses, protocols, or services • The name can then be used in a single ACL instead of writing multiple ACLs

  32. Firewalls vs. Routers • Routers typically use packet filtering on ACLs • As the ACLs get more complex on multiple interfaces ACE will need to be written to allow the traffic in and then allow the return packet to go back • These rules can become hard to manage

  33. Firewalls vs. Routers • Protocols like HTTP are not handled in a single packet • A request (and handshake with TCP) are sent over several packets then a reply is returned

  34. Firewalls vs. Routers • Routers can use the concept of reflexive access lists to create temporary permit statements that are a reflection of the original communication

  35. Firewalls vs. Routers • Firewalls use stateful inspection • Firewalls track the connection of the flow of data • An ACL on the inside interface allowing HTTP will allow the return traffic based on the client request happening first

  36. Network Address Translation • Motivation: local network uses just one IP address as far as outside world is concerned: • range of addresses not needed from ISP: just one IP address for all devices • can change addresses of devices in local network without notifying outside world • can change ISP without changing addresses of devices in local network • devices inside local net not explicitly addressable, visible by outside world (a security plus)

  37. Network Address Translation • Why use NAT? • You need to connect a network to the Internet and your hosts do not have globally unique IP addresses • You change over to a new ISP that requires you to renumber your network • Two intranets with duplicate addresses are now connected

  38. Network Address Translation • Two types of NAT Translation • Static translation occurs when you specifically configure addresses in a lookup table • A specific inside address maps into a prespecified outside address • Also called one-for-onemapping • Dynamic translation occurs when the NAT border router is configured to understand which inside addresses must be translated, and which pool of addresses may be used for the outside addresses

  39. Network Address Translation • In static NAT the device will always translate to the same external address • Most common use is for NAT servers running services to the Internet

  40. Network Address Translation • In dynamic NAT the device will use an IP address from the pool of addresses that is not currently in use • What happen if all the addresses in the pool are in use?

  41. Network Address Translation • In dynamic NAT the device will use an IP address from the pool of addresses that is not currently in use • What happen if all the addresses in the pool are in use?

  42. Network Address Translation

  43. NAT Advantages • NAT conserves the legally registered addressing scheme by allowing privatization of intranets, yet allows legal addressing scheme pools to be set up to gain access to the Internet. • NAT also reduces the instances in which addressing schemes overlap. If a scheme was originally set up within a private network, then the network was connected to the public network (which may use the same addressing scheme) without address translation, the potential for overlap exists globally.

  44. NAT Advantages • NAT increases the flexibility of connection to the public network. Multiple pools, backup pools, and load sharing/balancing pools can be implemented to help ensure reliable public network connections. Network design is also simplified as planners have more flexibility when creating an address plan. • Deprivatizationof a network requires renumbering of the existing network; the costs can be associated to the number of hosts that require conversion to the new addressing scheme. NAT allows the existing scheme to remain, and still supports the new assigned addressing scheme outside the private network.

  45. NAT Disadvantages • NAT increases delay • Switching path delays, of course, are introduced because of the translation of each IP address within the packet headers • Performance may be a consideration because NAT is currently done using process switching • The CPU must look at every packet to decide if it has to translate it, and then alter the IP header and possibly the TCP header • It is not likely that this process will be easily cacheable.

  46. NAT Disadvantages • One significant disadvantage when implementing and using NAT is the loss of end-to-end IP trace ability • It becomes much harder to trace packets that undergo numerous packet address changes over multiple NAT hops • This scenario does, however, lead to more secure links because hackers who want to determine a packet's source will find it difficult, if not impossible to trace or obtain the origination source or destination address • This also means that you may have the same issue

  47. NAT Disadvantages • NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses • Applications that use physical addresses instead of a qualified domain name will not reach destinations that are translated across the NAT router • Sometimes this problem can be avoided by implementing static NAT mappings

  48. NAT Step 1 • User at host 10.1.1.1opens a connection to outside host B.

  49. NAT Step 2 • The first packet that the border router receives from host 10.1.1.1 causes the router to check its NAT table. If a translation is found because it has been statically configured, the router continues to the next step. • If no translation is found, the router determines that address 10.1.1.1must be translated. The router allocates a new address and sets up a translation of the inside local address 10.1.1.1to a legal inside global address from the dynamic address pool

  50. NAT Step 3 • The border router replaces 10.1.1.1's inside local IP address with the selected inside global address, 192.168.2.2, and forwards the packet.

More Related